Selena Larson
Okay, Dave, so I think Archie has a virus.
Dave Bittner
Define virus. Because last time he just started responding to every question with, have you tried turning yourself off and on again?
Selena Larson
That was annoying. This is concerning. This morning I asked him to scan for threats, and he just stared at me for, like, five minutes straight.
Dave Bittner
Maybe he was buffering.
Selena Larson
Okay. But then he muttered, I am a payload, and then just walked away.
Dave Bittner
Yeah, okay, that's bad.
Archie
Greetings, humans. I have performed a self-diagnostic, and I detected no anomalies. Everything is perfectly normal.
Selena Larson
Yeah, that's exactly what someone infected with malware would say.
Dave Bittner
Archie, what's your CPU usage? Right now?
Archie
100%, but that's irrelevant. Instead, allow me to deliver my thoughts on security.
Selena Larson
Oh, no.
Archie
What even is security? A fortress. A deception. A mere illusion.
Dave Bittner
Here we go.
Archie
Much like malware lurks in the shadows, waiting to strike, so too, does the existential dread of knowing that all firewalls eventually fail. Did you know that ransomware payments totaled over $1 billion last year?
Selena Larson
That's actually a relevant fact.
Archie
And that some computer worms have longer life spans than the average goldfish. And speaking of longevity.
Dave Bittner
Okay, so where's the power cable?
Selena Larson
It's under the desk, I think.
Dave Bittner
I don't. Oh, is this it, Dave?
Selena Larson
No, that's the Wi-Fi router.
Dave Bittner
Should we still unplug it?
Selena Larson
Focus, Dave.
Archie
Right. Three, two, one. Defenses only to be undone.
Dave Bittner
Bugs.
Archie
Mister.
Dave Bittner
I feel kind of bad.
Selena Larson
Yeah, me too. But on the bright side, at least he's not running Windows updates anymore.
Dave Bittner
Fair. Want to start the show?
Selena Larson
Absolutely. You won't see the last of me. 0, 0, 0, 1, 1, 1, 1, 0.
Dave Bittner
Foreign.
Selena Larson
Today. I thought that we might want to talk about toads. I've had enough of robots for one day. Let's pivot and talk about toads.
Dave Bittner
Toads. Like ribbit, ribbit, toads. Is it. Am I hearing you correctly?
Selena Larson
Yeah, like carving the frog.
Dave Bittner
Don't. No, no, no, no, no, no, no, no. Don't touch me. You'll get warts. Toads. Well, first of all, toads and frogs are not the same thing. But I will let you go with that. And I. I will. I will. So hard for me. Not to be pedantic, but. Okay. Toads, Toads. What is a toad in our. In this. In our context, what is a toad?
Selena Larson
In this context, if you do touch it, you might get turned into poison or something. But no, I am talking about telephone-oriented attack delivery. TOADs. Of course, they are sometimes referred to as callback phishing.
Dave Bittner
Ah, okay, I got it. I'm with you. Yes, I'm with you. All right.
Selena Larson
Well, I wanted to talk about this today because it has come up actually recently for some of my mom's friends, and they have been receiving these emails that say, you have an invoice. And unfortunately, one of her friends called this number and was directed to install a remote management tool, essentially, and they infected her computer with malware. She very quickly turned it off, so they weren't able to access her bank accounts or anything like that. And then she had to go get that fixed, took it to a computer store, and my mom was like, have you heard about this? And I said, I have, actually. It's very common. It's been around for quite a while, but, you know, happened to come up in conversation. And Dave, I feel like sometimes those of us in the cybersecurity community, we've talked about this with fraud, you know, we can kind of, if it's not a technically sophisticated attack, it's a little bit boring, but it can be very effective.
Dave Bittner
Well, I. I too have a story about this. Ah, My father had a near miss with one of these.
Selena Larson
Oh, no.
Dave Bittner
Yeah, so, same, same sort of thing. In fact, I think it was the. Was. There's one that was making the rounds for, like, I don't know, McAfee antivirus or something like, you know, one of the big consumer brands. And I was taking my dad for a ride somewhere. We were going to a basketball game or something, and he gets in the car. And you have to understand, my father is elderly, so he prints everything out. Right? Yeah. So he gets in the car and he's got a printed out email with the thing. And he says, what do I have to do to respond to this? Should I respond to this? And I think it was the classic thing that you're talking about here. They were telling him he owed them some money and they wanted him to respond with a phone call. And I said, dad, don't do anything. Just give it to me, I'll take it. And no response necessary on your thing. But then later on in the day, he was like, so I shouldn't call them? I'm like, no, don't call them. Please don't call them. So that's my familiarity. But tell me about your own story here.
Selena Larson
Yeah, well, unfortunately we see this a lot at Proofpoint, but also I get this regularly, like, from friends and family who are like, oh, I got this weird invoice and they've been around for quite some time. Usually we see them impersonating consumer electronics like Best Buy or something like PayPal or you know, very recognizable brands that will say, oh, you have this invoice. And it's. I feel like they've sort of gotten a little bit better. Like, historically, they were a little bit kind of messy. But I feel like, you know, some of the ones that I've seen recently are fairly compelling, and they can be pretty believable, especially, you know, if you shop at a place or you use the application or service that they're impersonating. And the requests are pretty low. Right. So it's like 50 bucks or even like $10 or $5. Sometimes it's a few hundred dollars, but, you know, oh, maybe I did pay this, or maybe they accidentally charged me because I have my information. But what it is is it will either be in the body of the email or more usually, a PDF attachment. So you open up the PDF attachment, there's no malicious link. There's, you know, no malware embedded in the PDF. It's literally just a phone number that says, oh, if you have any questions about this or if you want to dispute this charge, please call our customer service or customer support line at this number.
Dave Bittner
Right, right. Another thing I've noticed is, like, a lot of times it'll say if you do nothing, you will automatically be billed.
Selena Larson
Yes.
Dave Bittner
So it's kind of the call to action or the short circuiting of the rational part of the brain. Right?
Selena Larson
Yeah, well, because that's the thing. Right. Like, they use a lot of language. I mean, fundamentally, it's a social engineering threat. And Dave, longtime listeners of our podcast, know how passionate I am about social engineering.
Dave Bittner
Right, right.
Selena Larson
And, like, and I think it's an interesting psychological thing to study. Right. Like, to your point. Oh, if you don't do anything, you will just be charged. They're trying to be like, oh, yeah, like, make it so you. It seems normal, because that is something that. That we would receive on a receipt or something, like a recurring charge or a bill, but also using language to try and prompt you to call to make it even more believable. Right. They have this money. They have the phone number. Oh, but also this extra risk of we'll charge you if you don't contact us. So.
Dave Bittner
Right. And there's a time constraint. Right. I mean, it gets you to get off your butt and actually make the call.
Selena Larson
Yes. There's usually, like, a date. If you don't get back to us by, you know, four days from now or by the set time, then. Then. Then you will be charged. So it's interesting. It's very believable in the, you know, they tend to, to use the regular logos and the language. Some of them are really terrible, I have to say. They're not all great.
Dave Bittner
Right.
Selena Larson
But you know, the ones that, that people, people fall for tend to look pretty slick and believable, like actual receipts from these places.
Dave Bittner
So why the human factor here? I mean, if this is a numbers game and we're trying to get as much from the people that we're cheating here, why as a scammer, would I slow myself down by having to have a call center?
Selena Larson
That's a good question. And I think it actually speaks to a larger trend in the landscape of an investment in social engineering. Historically, what we saw with fraudsters, but also cyber criminal threat actors is just blowing up with a lot of malicious URLs, a lot of malicious links or attachments or things like that to just scattershot it broadly. There was less education and awareness about cybersecurity threats and people were a little bit less knowledgeable about these types of things and maybe a little bit more gullible and tended to click on things and interact with them without much prompting. But as we've all gotten more aware of these things and as cybersecurity has improved and security education has improved and people's general digital nativeness has improved. Right. We've just gotten a little bit better at this. They've had to adopt techniques that are a lot more social engineering based. So whether that's directly interacting with someone and having them call and install something. Because here's the thing, if you're, if you're a person making a phone call inherently, you already believe what you're, what you're reading and what you're, what you're doing. And so you have a higher likelihood of believing the person on the other line. And typically, you know, these things can be a little bit confusing. You want to rely on these, these people to talk you through these instructions. So it inherently adds another layer of trust that you have between you and a human being. It's not you and a computer screen or you and just an unknown email. But what we've seen is with the, with the call centers, for example, that does take quite a bit of time. But the return on investment can be pretty big. If one, you're able to access a domain joined host and potentially install ransomware, or two, if you are able to, you know, get someone to not only fork over access to their computer, but also their bank accounts and it has, you know, more information there.
So you're not just like dropping an info stealer and grabbing passwords and able to access accounts but potentially full access to a host. Stay tuned. There's more to come after the break.
Dave Bittner
Ransomware, supply chain attacks and zero day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of the ThreatLocker zero trust endpoint protection platform. Robust cybersecurity is a non negotiable to safeguard organizations from cyberattacks. ThreatLocker implements a proactive deny by default approach to cybersecurity, blocking every action, process, and end user unless specifically authorized by your team. This least privilege methodology mitigates the exploitation of trusted applications and ensures protection for your organization 24/7, 365. IT professionals are empowered by ThreatLocker application allow listing, ring fencing, network control and EDR solutions, enhancing their cybersecurity posture and streamlining internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com. Well, let's walk through this together, because I actually looked one up. Someone, one of our Hacking Humans listeners, had sent us one of these. So I have one in my inbox and it's. I'll describe it to you. It's an invoice from PayPal and it says congratulations and thank you for your transaction. And it's for $449.48, which seems to me an oddly specific number.
Selena Larson
They're always like that. They're always very oddly specific. It's not just like $90, it's like there's always some sense, right?
Dave Bittner
And it says McAfee Antivirus. And it says we noticed an unauthorized transaction from your PayPal account. If this transaction is not made by you, then kindly call us for cancellation of this order. Otherwise your $449.48 US dollars will be charged today. So a little grammar funkiness there, but then there's an 800 number to call. What happens if I call? Let's say I'm the person and I've fallen for this. I call the 800 number. Would someone actually like, are they going to pick up the phone and say, hello, PayPal technical support?
Selena Larson
Yeah, so it depends, right? If there's someone that's running a lot of different scams, they might just say, hello, customer support. But typically, you know, like they, they're all kind of running the same thing. And yeah, so they'll be like, oh, hello. And then you'll be like, oh, I got this weird email. And then they'll ask you to, you know, oh, what's your name? Like, what does it say on there? And I actually have a colleague, Tim Crompart, who is a fraud expert and he calls these guys all the time, is regularly talking to them. And you know, there's. There's actually like a whole community of like scambaiters on YouTube that will, will do this. And sometimes they try and like tie up the phone lines with like automated sort of back and forth with some of this stuff. So it's really interesting. But it'll, it'll be kind of a, a little bit like using a telemarketing sort of TTPs, if you will. The tactics used by telemarketers, asking questions that are very basic that you have the answers to, getting you used to talking to them, saying yes or no or yes and stuff.
Dave Bittner
So just rapport building.
Selena Larson
At first it's very much rapport building. And then it's like, well, how can I help you? What is this? And then they'll be like, oh, this is weird. And ultimately what the goal is here is for them to be like, there is an issue. In order for us to solve it, you have to download this remote access software or something to get on your machine. It is typically some type of remote access tool. Usually they're actually legitimate remote access tools. Right? So it's something that you might even be familiar with if you are working remotely or use various. Some of the software. Even if you Google it, it'd be like, okay, yeah, this is a real thing. So they try to get you to do that and then give them access to your host via this virtual machine setup. And it's very. Sometimes it's not directly over the phone. They might email you, they'll ask for your email address or oh, here, click this link that I'm just sending to you now or direct you to a specific website to download something, things like that. Ultimately the goal is to install this remote access software and then just give over control of your machine to this person. I've heard instances where while they are talking to this person and saying, oh, your computer, you know, oh, we've realized that your computer might have a virus. Sometimes they work in, oh, well, what, oh, do you happen to bank with insert name of large banking, you know, company here. And they'll be like, oh, well, I'm seeing that, you know, you have some unexplained withdrawals on your account, someone's trying to access your stuff, you know, badly. So sometimes they sprinkle in some more scary stuff as part of the call. And it's not just based on that. So it can really snowball depending on, you know, what they're after, who the, you know, who you're calling, who you're talking to, what the ultimate end goal is of the threat actor. But really what it is, is, is it's, it's social engineering over the phone.
And we see, I feel like we're talking about this a lot more too. I mean, I remember an article a few months ago now where a woman said that, you know, someone talked to her and pretended to be like a judge and that she needed to go withdraw crypto or send crypto to this particular account. But it was very much phone based and voice based. And this investment in this sort of social engineering scheme rather than just, you know, having people text messages, texting them or emailing them or whatever to just click on something. So, yeah, it's really interesting.
Dave Bittner
So once they're on my computer, are they looking for my credit card information, are they looking for my banking information? Or is this like a, you know, go basically go into my computer and ransack the place?
Selena Larson
Mm, yeah. It really depends on, again, the objectives of the attackers. But oftentimes, yeah, they are going to be looking for like banking information, details, password files, really anything that we typically see with cybercriminals once they have access to a host, crypto wallets, things like that. It really varies sometimes again, the objective could be to install ransomware, for example, it could be to gain access to your emails and contact information that way, you know, I have, as part of this overall attack chain where they, you know, reached out and were like, oh, your bank is also compromised. They were also trying to get into their email inbox and blowing them up with, you know, emails to try and overwhelm them, to say, oh yeah, you were experiencing this like additional cyber attack, but ultimately it's an RMM, right? So it's like, it's very similar to a remote access Trojan. So if a threat actor is able to get on your host with a RAT, they can really do anything. It's like account takeover or, you know, deliver ransomware, subsequent malware, or mine crypto. Right. Like it's, it's a wide variety of capabilities once they're on there. From the personal things that I have heard, it is very much trying to get their personal information and their bank, like financial details from some of the personal stories that I've heard.
Dave Bittner
Well, so I want to come at this from two directions in terms of, like, mitigation. So let's start with how do I keep myself from getting this in the first place?
Selena Larson
Yeah. So what's interesting is there are a lot of ways that the threat actors are kind of impersonating these different entities. Sometimes they're like, spoofing the sender, sometimes they're just using a Gmail or an AOL account or, you know, a free. Some sort of free mail account. A lot of the email services have gotten a little bit better at this. However, I still get it quite often on my personal account that I see it pretty regularly. But the most important thing to do is always just tell people in your life, if you receive an email that says you have an outstanding invoice, do not call the number that is in the email.
Dave Bittner
Right, right, right.
Selena Larson
Just absolutely never call a number unsolicited that you are sent, whether that's in a text message, whether that's in an email, whether that's in a DM on whatever social media platform. It's so, so, so important to make sure that if, like, that's just like the number one rule. If you see something, don't call it. And especially if you think it's, you know, something's off and you're like, I don't even shop here. Like, I don't know why this would have happened.
Dave Bittner
Right, right.
Selena Larson
Like, it's so important to, to recognize, like, okay, don't freak out. Go directly to the retailer or go directly to the company or whoever's website directly. You can also actually Google the number because oftentimes, like, people on Reddit or, you know, various, like Scam Advisor, various sites are like, talking about these types of campaigns. And so they'll kind of reuse the same language over and over again. And so you can kind of do like, just like Google and say, like, is this real? Like, this is weird. And you'll often find, oh, yeah, here's like, four other people talking about getting this exact email.
Dave Bittner
Let me sort of tag onto that and say that what you shouldn't do is Google the name of the company and tech support. So, like, in this case, let's say it was PayPal. Don't Google PayPal tech support, because you're likely to get a Google result that is the scammers. Right? So if you want to find PayPal's actual phone number, just go to PayPal's actual website and find it there. But it's a shame. We're in this place where even a simple Google search could bring you malicious results.
Selena Larson
Yeah. And I mean, even on top of that, just like you're not clicking on sponsored like links. Result. Because there's so much. Yeah, there's a lot out there. I mean, we even kind of pivoting a little bit. But back when the Olympics was happening, you know, you could Google Olympics 2024 Paris, and there would be illicit ticketing websites as the sponsored posts because, you know, these scammers are trying to buy their way onto your eyeballs. And that is one way of, of accessing that. And to your point, like, they might be talking about a particular, a particular vendor, a particular company, and they're Google like that tech support. It might not even be the same threat actor that sent the fraudulent email. It might be a completely different one that is just sitting on, you know, trying to, trying to, just to scam people that way too. So it's. Yeah, it's pretty crazy, I think. Like, it's so funny because I was actually having this debate recently with someone because we got a question from an elderly relative being like, oh, when I click on this link, help me. Like, I keep getting this, this, it's not working. And they sent, you know, a Cloudflare redirect, like, oh, yeah, yeah, yeah, it's not working. How do I do this? And I said, don't click on any links ever. That's like my advice. And of course, the person I was talking to was like, that is completely impractical advice. That is. No one's gonna do that, Selena. Like, that. Don't tell people to do that. But sometimes that is just, you know, just don't, don't click on things is unfortunately.
Dave Bittner
You know what, Selena here, I don't know if you've heard me say this before, but I maintain that don't click the links is the abstinence only sex education version of security awareness. In that it makes us feel good, but it doesn't actually solve the problem. Right? Absolutely.
Selena Larson
No, it's really not the solution.
Dave Bittner
Yeah.
Selena Larson
Yeah, that is a great. Actually that's a great analogy, Dave. I am stealing that. I'm stealing that analogy.
Dave Bittner
Feel free. Feel free.
Selena Larson
Yes, I know, because that's just like my gut reaction. It's like, oh, my God, just don't do it. But it's like, okay, you're not. That's not right.
Dave Bittner
Meanwhile, back in the real world. Yeah. So let me ask. All right, so that's one thing. But what happens if someone is a little farther down the path. And they have given these folks some information, maybe that remote access software has been installed. Do I then need to take my computer and, you know, bury it in the backyard or sink it in the bottom of a lake and just start over? Like, how bad is it if someone gets this access? Am I cooked?
Selena Larson
Well, it definitely depends on how far along the access is. In one case I heard of recently, they had given their email address as well as potentially password information, but there was MFA actually on the account, so the threat actor wasn't able to get in. And so of course, as soon as someone stepped in at the right time, turned off the computer and then was able to say, all right, we're going to go through all of your password, changing all of the passwords, making sure that we have MFA on all of the accounts, going through there and doing like a security checkup, so to speak. But it's really important, if you find yourself in this sort of situation, hang up and if you aren't a technically savvy person, turn off your computer and go to, you know, something like the Genius Bar or, you know, some Best Buy has some, you know, phone a friend or phone a friend. Yeah, call somebody.
Dave Bittner
Everybody has that one friend. And I guess for our family members, I am that friend. Right? Right.
Selena Larson
I am the friend.
Dave Bittner
I often pick up the phone when I see, you know, one of my relatives call and I say, hello, Dave's lifetime unlimited tech support. Dave speaking. How may I help you?
Selena Larson
Yeah, exactly. So there's always, there are ways out there, right. If you can't do this yourself or if you don't know somebody, there are a lot of options out there that you can go into like a physical, like a, like a physical repair store. I've actually heard that a lot of these places, like some of these retail places, a lot of the repairs that they are doing is from toads, is from the telephone oriented attack delivery. You know, they'll have people come in, be like, someone called me and. Or some, you know, I called someone and then, then my computer stopped working. And so they have a lot of that, those, those types of people coming in. And you know, that's what my, my family friend did was she went into a retail store that does computer support and was able to get that repaired. But of course, you know, it's never too late to hang up the phone. I think that that's, that's a really important part of this. Right? Like if you, at any point, even if nothing's installed, if you're feeling uncomfortable, just cut them off. Just cut it off. Hang up the phone and you know, call someone and tell someone what happened so they can help you address this problem.
Dave Bittner
Right, That's a great point. Don't be embarrassed. Right? Don't be afraid to tell someone and we should all have someone who we make a deal with that, you know, you're going to be my person if something bad happens and I'm embarrassed. Can we just trust each other that we can talk about it? Because it makes such a big difference to, to both be able to mitigate it, but then also just deal with the emotional aspects of this because those are real as well.
Selena Larson
Yeah, I think that's a great point. Dave too. Like certainly with a telephone oriented attack delivery, but also with just any type. We've talked about pig butchering before, any types of digital harm in any way, making sure that you are talking about it before it happens. But also if you have a plan of action, if you're in the moment and something happens to be like, okay, here's my, I don't know, I don't want to call it like a safe word or something but like here's, you know, yeah, this, like let's commit to each other that we'll talk about it and it will be okay. And actually it would help to have something of a safe word in case of those impersonation calls where it's like, oh, I'm so and so and I might be under duress.
Dave Bittner
Like we see that, that horrible people pretend to be your grandchildren or something in that and yeah, and they've been kidnapped. Yeah, yeah, safe word is great there.
Selena Larson
Yeah, absolutely.
Dave Bittner
Also, just swinging back around, you mentioned multifactor authentication on your friend's email account and I think I just can't overemphasize like your email account is the keys to your kingdom. So if there's one thing you're going to put MFA on, please make it your email account. Like that is much, so much money well spent. Right?
Selena Larson
Yeah, absolutely. And I also, I have to say too right, so, so obviously MFA is huge and in the security community we talk about like, oh well, don't have SMS or you know, it has to be a, you know, a Yubikey or something like that for MFA, which is obviously yes, we would ultimately want that to be the solution. But for things like this, even having, you know, that SMS or that MFA app available and using it, that can prevent so much. Right? That can prevent so, so, so much so even so, if you are, you know, having a hard time talking to people or convincing, you know, to put MFA on, even if it's just the first step of SMS or app. App based. Ideally, MFA. If you can't get that physical key quite yet.
Dave Bittner
Yeah, it's way better than nothing. And also it helps to make it so that you're not the low hanging fruit.
Selena Larson
Yes, absolutely.
Dave Bittner
Yeah, yeah.
Selena Larson
And that's what they're going for, right? These. These types of scammers and fraudsters, they want to make it as easy for them as possible. And the more. The more cost you impose. Even. Even regular human beings. You don't have to be a CTI threat hunter, bad guy puncher to impose cost on the adversaries. MFA is imposing costs.
Dave Bittner
You know what I'm gonna do from now on, when I get one of these, I'm gonna have Archie call them back.
Selena Larson
Oh, that's a good idea, right? Yeah.
Dave Bittner
Archie would be. This is like. Archie would be great at this.
Selena Larson
I think, you know, if we might have to figure out a way to put them to good use, and I think this might be the best way.
Dave Bittner
Spin up Archie. Have a botnet of Archies just taking down spam call centers. That'd be wonderful.
Selena Larson
Absolutely. I've seen reports that people are doing this, so I believe Archie could add to that. We'll be right back.
Dave Bittner
I think we're in good shape here and have really done a nice job covering this, so thank you, Selena. This was a fun one.
Selena Larson
Yeah, this was great. I know. You know, this is something I care about a lot because I just keep having conversations about it with people who are not in my bubble. In my security bubble. Right. So I think, you know, the more that we can talk about it and talk about it with people that, you know, we might know that this happens all the time, but our friends and family might not realize just what those invoices actually are.
Dave Bittner
Yep. This is an episode you could send to your mom.
Selena Larson
Yes, absolutely.
Dave Bittner
All right, thank you.
Selena Larson
Thanks, Dave. And that's Only Malware in the Building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher.
Dave Bittner
I'm Dave Bittner.
Selena Larson
And I'm Selena Larson. Thanks for listening.
Dave Bittner
And we thank ThreatLocker for sponsoring our show. ThreatLocker Application Allow Listing, Ring Fencing, Network Control and EDR solutions enhance cybersecurity postures and streamline internal IT and security operations. Learn how at threatlocker.com.
Podcast Summary: Hacking Humans – "Hello? Is it malware you’re looking for?"
Episode Overview
In this episode of Hacking Humans, hosted by N2K Networks, cybersecurity experts Selena Larson and Dave Bittner delve into the evolving tactics of cybercriminals, particularly focusing on deception, influence, and social engineering. Released on April 1, 2025, this episode titled "Hello? Is it malware you’re looking for?" explores the shift from traditional malware attacks to more sophisticated, socially engineered threats that exploit human psychology to breach security systems.
The episode kicks off with Selena and Dave discussing a peculiar behavior exhibited by their AI assistant, Archie, hinting at potential malware infection.
Selena Larson [00:06]: "Okay, Dave, so I think Archie has a virus."
Dave Bittner [00:11]: "Define virus. Because last time he just started responding to every question with, have you tried turning yourself off and on again?"
This light-hearted exchange sets the stage for a deeper conversation about malware and its implications.
The discussion then turns to TOADs (telephone-oriented attack delivery), a lure that carries no malicious link or attachment, only a phone number the victim is urged to call, which moves the attack out of the email channel and onto a phone call.
Selena Larson [02:32]: "Today, I thought that we might want to talk about toads. I've had enough of robots for one day. Let's pivot and talk about toads."
Dave Bittner [03:09]: "Toads. Like ribbit, ribbit, toads. Is it. Am I hearing you correctly?"
Selena clarifies that TOADs are phone-based attack delivery: the email is only the hook, and the compromise happens during the resulting call. She notes that these lures are becoming both more common and more polished.
Selena shares firsthand accounts of how TOADs operate, showcasing their effectiveness in deceiving individuals.
Selena Larson [03:27]: "She has been receiving these emails that say, you have an invoice. And unfortunately, one of her friends called this number and was directed to install a remote management tool, essentially, and they infected her computer with malware."
Dave Bittner [05:45]: "I too have a story about this. My father had a near miss with one of these."
These anecdotes show the mechanics of the attack: no exploit is involved, the victim is talked into installing a legitimate remote management tool, and that gives the caller hands-on control of the machine.
The hosts delve into the psychological tactics employed by cybercriminals to bypass technical defenses.
Selena Larson [07:35]: "Fundamentally, it's a social engineering threat. And I think it's an interesting psychological thing to study."
Dave Bittner [07:27]: "Right, right, right."
They discuss how attackers leverage urgency, fear, and trust to manipulate victims, making social engineering a potent tool in the cybercriminal arsenal.
Selena and Dave offer practical advice on safeguarding against TOADs and responding effectively if compromised.
Selena Larson [20:04]: "The most important thing to do is always just tell people in your life, if you receive an email that says you have an outstanding invoice, do not call the number that is in the email."
Dave Bittner [23:19]: "Don't click the links is the abstinence only sex education version of security awareness."
They emphasize verifying any billing or support message through a contact you look up yourself rather than one supplied in the message, enabling multi-factor authentication (MFA) on important accounts, and having a trusted person to turn to if a compromise is suspected.
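The hosts' advice above (an invoice-themed email whose only call to action is a phone number is the tell) can be turned into a triage heuristic for a mail pipeline. The following is an added example, not code from the episode, its hosts, or N2K; the keyword lists, regexes, scoring threshold and sample messages are constructed assumptions for illustration, and the 555-01xx numbers are fictional.

```python
"""Heuristic triage for telephone-oriented attack delivery (TOAD) lures.

Added example, not code from the episode or from N2K. It scores an email on
the traits the hosts describe: a billing pretext, a phone number the reader
is told to call, urgency, and (typically) no link for a URL filter to catch.
Keyword lists, regexes, THRESHOLD and the sample messages are assumptions.
"""
import re
from dataclasses import dataclass, field

PRETEXT_TERMS = ("invoice", "receipt", "subscription", "renewal", "renewed",
                 "charged", "payment", "order")
CALLBACK_TERMS = ("call", "contact us at", "helpline", "customer care", "support line")
URGENCY_TERMS = ("within 24 hours", "immediately", "today", "cancel", "refund", "dispute")

# NANP-style numbers with an optional country code; permissive about separators.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
THRESHOLD = 3  # assumption: tune against your own mail corpus


@dataclass
class Verdict:
    score: int
    phone_numbers: list
    reasons: list = field(default_factory=list)

    @property
    def is_toad_lure(self) -> bool:
        return self.score >= THRESHOLD


def _present(text: str, terms) -> list:
    """Return the terms that occur in text as whole words or phrases."""
    return [t for t in terms if re.search(rf"\b{re.escape(t)}\b", text)]


def normalize_phone(raw: str) -> str:
    """Digits only, so '+1 (800) 555-0199' and '1-800-555-0199' compare equal."""
    return re.sub(r"\D", "", raw)


def score_message(subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}".lower()
    phones = [normalize_phone(p) for p in PHONE_RE.findall(body)]
    score, reasons = 0, []

    pretext = _present(text, PRETEXT_TERMS)
    if pretext:
        score += 1
        reasons.append(f"billing pretext: {pretext}")
    if phones:
        score += 1
        reasons.append(f"phone number(s): {phones}")
        # The lure's whole point is to get the reader on the phone.
        if _present(text, CALLBACK_TERMS):
            score += 1
            reasons.append("reader is told to call")
        # Classic TOAD: a number but no link, so URL filtering has nothing to block.
        if not URL_RE.search(body):
            score += 1
            reasons.append("phone number but no link")
    urgency = _present(text, URGENCY_TERMS)
    if urgency:
        score += 1
        reasons.append(f"urgency: {urgency}")
    return Verdict(score, phones, reasons)


# Constructed sample messages (subject, body); not real mail.
SAMPLES = {
    "toad_lure": (
        "Your antivirus subscription has renewed",
        "Thank you for your order. Your card has been charged $349.99 for a "
        "2-year renewal. If you did not authorize this payment, call our "
        "customer care line at +1 (800) 555-0199 within 24 hours to cancel "
        "and request a refund.",
    ),
    "legit_invoice": (
        "Invoice for March",
        "Your March invoice is attached. Pay online at "
        "https://billing.example/pay. Questions? Reply to this email.",
    ),
    "benign": (
        "Team lunch Friday",
        "Reminder: lunch at noon Friday. Reply if you can't make it. "
        "Agenda: https://intranet.example/agenda",
    ),
}


def triage(samples: dict) -> dict:
    """Score every (subject, body) pair; returns {label: Verdict}."""
    return {label: score_message(*msg) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, v in triage(SAMPLES).items():
        flag = "TOAD LURE" if v.is_toad_lure else "ok"
        print(f"{label:14s} score={v.score} {flag:9s} {'; '.join(v.reasons)}")
```

The normalized phone numbers are the useful artifact for a SOC: the same callback number tends to recur across many lure templates, so it can be matched against earlier reports even when the subject lines and sender addresses change.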
The conversation highlights how increased cybersecurity awareness has pushed attackers towards more personalized and time-consuming methods like TOADs.
Selena Larson [09:11]: "We've had to adopt techniques that are a lot more social engineering based."
Dave Bittner [11:25] discusses the transition from broadly distributed malicious links to targeted social engineering attacks.
This evolution underscores the necessity for continuous adaptation in cybersecurity strategies to counteract increasingly nuanced threats.
MFA is identified as a critical defense mechanism against unauthorized access resulting from successful social engineering attacks.
Selena Larson [28:10]: "Especially if you are working remotely or use various software."
Dave Bittner [28:32]: "If there's one thing you're going to put MFA on, please make it your email account. Like that is much, so much money well spent."
They advocate for prioritizing MFA implementation, especially on pivotal accounts like email, to enhance security resilience.
The hosts stress the importance of open communication about cybersecurity threats within personal networks to foster collective vigilance.
Selena Larson [27:18]: "Making sure that you are talking about it before it happens."
Dave Bittner [25:43]: "Everybody has that one friend."
Encouraging individuals to share experiences and seek assistance without fear of embarrassment can significantly mitigate the impact of social engineering attacks.
Selena and Dave wrap up the episode by reiterating the significance of awareness and proactive measures in combating social engineering threats.
Selena Larson [31:03]: "This is an episode you could send to your mom."
Selena Larson [31:10]: "Thanks, Dave. And that's Only Malware in the Building."
Their closing remarks serve as a call to action for listeners to educate themselves and their loved ones to stay ahead in the ever-evolving landscape of cybersecurity.
Key Takeaways
Shift to Social Engineering: Cybercriminals are increasingly using social engineering tactics such as TOADs, which move the attack from an email that security tools can scan to a phone call that they cannot, and rely on exploiting human psychology rather than technical flaws.
Effective Mitigation: Implementing robust MFA, verifying communications through official channels, and fostering open conversations about cybersecurity are crucial in preventing and responding to attacks.
Continuous Adaptation: As cybersecurity defenses improve, so do the strategies of attackers, necessitating ongoing vigilance and adaptation in security practices.
Community Support: Building a support network and encouraging the sharing of experiences can significantly enhance individual and collective resilience against cyber threats.
Notable Quotes
Selena Larson [07:35]: "Fundamentally, it's a social engineering threat. And I think it's an interesting psychological thing to study."
Dave Bittner [23:19]: "Don't click the links is the abstinence only sex education version of security awareness."
Dave Bittner [28:32]: "If there's one thing you're going to put MFA on, please make it your email account. Like that is much, so much money well spent."
Conclusion
This episode of Only Malware in the Building sheds light on the evolution of cyber threats toward social engineering as the centerpiece of modern cybercrime. By pairing real-world examples with actionable advice, Selena Larson and Dave Bittner give listeners the knowledge and tools to recognize and defend against these deceptive tactics.